Mac OS X has its own sandbox security hole

Mac OS X appears to have at least one potential security flaw in its current …

Move over, iOS: CoreLabs Research has posted a public notification of a potential security vulnerability in Mac OS X's sandboxing mechanisms. According to CoreLabs, it's possible for sandboxed apps to trigger external processes that aren't sandboxed and possibly gain privileges not granted by a particular sandboxing profile. The revelation comes shortly after Apple announced it would force apps distributed via its Mac App Store to use sandboxing, ostensibly to increase security for Mac OS X users.

Apps that conform to Apple's sandbox design use a set of "entitlement" profiles defined by Apple; those profiles determine which system resources it can use and which are off limits. CoreLabs discovered that some of the limits in the default profiles can actually be circumvented by triggering certain Apple Events. In particular, Apple Events can cause launchd to launch a separate process without sandbox restrictions.

CoreLabs explained that a default profile that restricts an app from network access, for instance, could open a socket via osascript, thereby working around the network access restriction. Beyond the obvious potential for a malicious app to break out of the sandbox, these default profiles also set a potentially bad example for developers who think they are locking down their apps properly. "If the no-network profile allows AppleScript events, this may result in new applications using the same restriction rules, therefore offering a false sense of security," CoreLabs explained in its vulnerability report.
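The point CoreLabs makes is that a Seatbelt profile only restricts the process it is applied to, so a "no-network" ruleset that still allows exec of helpers or Apple Events traffic is weaker than it looks. The following linter is an added example (not CoreLabs' proof of concept or Apple's code): it parses SBPL profiles and reports those two delegation paths; the sample profiles are constructed, the Apple Events mach service name and the last-rule-wins semantics are assumptions.

```python
"""Lint an SBPL (Seatbelt) sandbox profile for the gap the article describes: the
network is denied, yet the process can still exec helpers or reach the Apple Events
service.  Added example, not CoreLabs' proof of concept; profiles are constructed."""
import re

# Mach service behind Apple Events on OS X (assumed name, not taken from the article).
APPLE_EVENTS_SERVICE = "com.apple.coreservices.appleevents"

WEAK_PROFILE = """(version 1)
(allow default)   ; anything not listed below is permitted
(deny network*)   ; the one operation the author meant to block"""

HARDENED_PROFILE = """(version 1)
(allow default)
(deny network*)
(deny process-exec)   ; no spawning helpers such as osascript
(deny mach-lookup (global-name "com.apple.coreservices.appleevents"))"""

# Tokens: ( ) "string" atom ;comment
TOKEN = re.compile(r'\s*(?:(\()|(\))|("(?:\\.|[^"])*")|([^\s()";]+)|(;[^\n]*))')

def parse(text):
    """SBPL text -> nested lists; quoted strings lose their quotes, comments are dropped."""
    stack = [[]]
    for lparen, rparen, string, atom, _comment in TOKEN.findall(text):
        if lparen:
            stack.append([])
        elif rparen:
            stack[-2].append(stack.pop())
        elif string:
            stack[-1].append(string[1:-1])
        elif atom:
            stack[-1].append(atom)
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses in profile")
    return stack[0]

def op_matches(pattern, op):
    """An operation name ending in '*' covers the whole family, e.g. network*."""
    return op == pattern or (pattern.endswith("*") and op.startswith(pattern[:-1]))

def filter_matches(filters, name):
    """No filter means every name; (global-name "x") restricts the rule to that name."""
    return not filters or any(isinstance(f, list) and f[:2] == ["global-name", name] for f in filters)

def decision(forms, op, name=None):
    """Assumed SBPL semantics: rules are applied in order and the last matching rule wins."""
    verdict = "deny"
    for form in forms:
        if not isinstance(form, list) or len(form) < 2 or form[0] not in ("allow", "deny"):
            continue
        action, target, *filters = form
        if target == "default" or (op_matches(target, op) and filter_matches(filters, name)):
            verdict = action
    return verdict

def audit(profile_text):
    """List the ways a 'no-network' profile still lets the process act outside its own limits."""
    forms = parse(profile_text)
    findings = []
    if decision(forms, "network-outbound") != "deny":
        findings.append("network not denied")
    if decision(forms, "process-exec") == "allow":
        findings.append("process-exec allowed: helpers such as osascript can be spawned")
    if decision(forms, "mach-lookup", APPLE_EVENTS_SERVICE) == "allow":
        findings.append("Apple Events reachable: work can be delegated to an unsandboxed process")
    return findings
```

Running `audit` over the weak profile reports both delegation paths; over the hardened one it reports nothing, which is the check a developer copying Apple's default profiles would want before trusting them.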

Senior Product Manager Alex Horan criticized Apple's response to the vulnerability as well—the response being nothing, mostly. After being notified of the vulnerability, Apple apparently decided to merely modify its documentation to point out "that the restrictions that these particular sandbox profiles provide are limited to the process in which the sandbox is applied."

Horan believes this could leave users at risk. He noted that similar sandboxing profile vulnerabilities were discovered by security researcher Charlie Miller in 2008. "At that time Apple modified the profile to prevent the vulnerability reported from being triggered, so the question remains: why has Apple chosen not to do that in this instance?" he wrote.

If Apple's response to sandbox flaws is to ignore them—as it appears to have done in this case—then users will end up with apps limited by the sandboxing restrictions without the improved security they were promised.

Of course, developers are still debating whether Apple's sandboxing requirements will actually improve security or not. Security researcher Jonathan Zdziarski told Ars that he believes the potential downsides aren't worth the supposed security improvements. Noted Mac OS X developer Wil Shipley wrote that sandboxing simply isn't as elegant a solution to security issues on the desktop as it has been on iOS. "[Sandboxing] entitlements are a binary solution—if there’s a hole anywhere in it that malware authors find, then there’s really not much Apple can do until they issue a full operating system patch," he wrote.

I don't know why, more than a decade after security issues have been rampant, we should presume that Apple will have a perfect technology on day one. There's always the tradeoff between what a user wants to do and what is risky; certainly this'll require some fine-tuning.

In the meantime, the current sandboxing will be a first approximation to a good solution. Soon, a second approximation. …

What? The computer brand that claims that it is so secure that you don't need an anti-virus or a firewall. Future lawsuit in the making.

In many years of using Mac OS X, I and my family have yet to encounter a single security issue. Why would we need an anti-virus? As for a firewall, Mac OS X has one. Of course, you wouldn't know that since you apparently have never touched a Mac in your life.

What? The computer brand that claims that it is so secure that you don't need an anti-virus or a firewall.

Please point me to a documented instance of such a claim. I have never seen one.

I'm 95% certain this (the antivirus part, not the firewall part) was on their site about five years ago, but I'm leaving in five minutes to go play Skyrim, so I'm not gonna pore through archive.org to find it.

What? The computer brand that claims that it is so secure that you don't need an anti-virus or a firewall. Future lawsuit in the making.

In many years of using Mac OS X, I and my family have yet to encounter a single security issue. Why would we need an anti-virus?

Macs are starting to become popular targets given the increase in market share. Doesn't necessarily mean you need anti-virus (I don't use one on Windows and I've never had a problem), but it's something Mac users should be aware of.

I don't get it. The fact that sandboxed programs can spawn programs with different restrictions (or no restrictions at all) is a feature.

On iOS, sandboxes exist mostly to restrict developers, and there should be no way to get elevated privileges or run unsigned code because those two practices are against the philosophy of the environment. On Mac OS, sandboxes are a security feature that needs to be workable because the needs are different.

The whole debate should be about whether sandboxes are useful in their current form, not about whether you can circumvent them.

On iOS, sandboxes exist mostly to restrict developers, and there should be no way to get elevated privileges or run unsigned code because those two practices are against the philosophy of the environment. On Mac OS, sandboxes are a security feature that needs to be workable because the needs are different.

On iOS, the sandboxing exists to ensure things work like they should. Yes, it can be somewhat restrictive on the development end, but that's not the end goal, it's just a side effect.

Please point me to a documented instance of such a claim. I have never seen one.

I'm 95% certain this (the antivirus part, not the firewall part) was on their site about five years ago, but I'm leaving in five minutes to go play Skyrim, so I'm not gonna pore through archive.org to find it.

Also known as "no such evidence, so I'm going to be as vague as possible to avoid further contradictions".

It's like the trolls don't even try anymore. One moronic comment after another. In the old days they'd do their research and post something incisive, but these days it's just "duhh your next Machead!" or "duhh Apple sez ya never need security and lookee now hur hur." It's just sad, especially when there are legitimate problems out there but bozos like this can't find them without a map, a guide and three friends to shout encouragement.

We've got some real anti-Mac people at Ars who have done their research and know what they're talking about. You've got to respect that, even if you disagree. But we've also got the basest of trolls, and it's just sad.

"...if there’s a hole anywhere in it that malware authors find, then there’s really not much Apple can do until they issue a full operating system patch..."

Well, DUH! They'll try to exploit any loophole they find. That's what they do, anywhere, on any system. You then patch that hole and any others like it, then wait to see if they find another one. Rinse. Repeat as needed.

Occasionally you go proactive and try to make their job even harder, like implementing the sandboxing model, entitlements, or things like address space layout randomization (ASLR).

How did Wil Shipley become a "Noted Mac OS X Developer?" I hope it wasn't by making inane statements like that one?

I think the idea is about the sense of security a person has using the appstore. Apple is trying to cultivate a sense of trust, but if an exploit in the sandbox isn't caught right away, it erodes the sense of trust, not just in Apple, but in the whole concept of a cultivated app store, and in all the apps in the store.

Would it make sense for processes to inherit sandbox permissions, just like their environment? That probably doesn't help if the nefarious app is using launchd to fire up the process but perhaps it would be something.

I think the idea is about the sense of security a person has using the appstore. Apple is trying to cultivate a sense of trust, but if an exploit in the sandbox isn't caught right away, it erodes the sense of trust, not just in Apple, but in the whole concept of a cultivated app store, and in all the apps in the store.

This.

If you're going to promote the benefits of a walled garden, you gotta make sure that there aren't a lot of weeds.

Security issues can strike any OS. Macs are not immune, but they are also not the big target. At any one time someone can probably find a hole in any OS. That does not mean shut your computer down and go hide under a rock. It makes for good press and I am sure it sells some anti-virus software. I run both Macs and Windows 7 PCs. None of which have had any kind of virus, worm, or malware for a long time. I think the last was an attempt to attack my PC with a fake anti-virus trick. It's been some time since I have read anything about a widespread outbreak of anything that attacks and harms or steals information. I am not saying relax, it's nothing. I am saying stop taking the fear-mongering articles seriously because they are just filler for the news.

One would think you'd get tired of saying that after a decade, but you've clearly got time on your hands.

This is why comment forums need a "signal/noise" feedback rather than "like/dislike". Trolls such as this would get swept away as noise.

Bro - listen to me, it doesn't matter how many times you correct these idiots, they'll keep saying the same thing. Why? Because they claim that somehow what a fanboy says represents official Apple policy. Just because some random fanboy says, "you don't need an anti-virus" or "Macs are perfect" doesn't mean that it is official Apple policy, but far too many here unfortunately claim that one represents the other. Most of these Mac haters have never used a Mac in their life, and if they have, they're so jaded with Windows bias it is pathetic to watch - never used an alternative operating system or hardware in their life, they somehow believe that Windows is the be-all and end-all; quite frankly it is pathetic.

Personally I wouldn't mind if this was some random website on the internet, but for Christ's sake, this is Ars Technica - a technology-orientated forum where I expect contributors in the forum to have at least an IQ above room temperature and an appreciation of technology regardless of the organisation behind it. Some of the dumb shit I see here, I really wonder why they're here in the first place - they have no interest in science or technology, so why do they hang out here? 4chan not refined enough and they've had their ass kicked too many times via down votes on Reddit?

So, program A, which can't do X, can launch program B (also sandboxed, but separately) that can do X. Well, BFD; as long as program A can't USE program B directly to ITSELF gain that access, program A still can't do X...

Any "vulnerability" here seems to assume that two completely separate programs, at least one malicious, and the other either flawed and/or not sandboxed at all, have to both already exist on your Mac. Also, if it was the intent to be malicious, WHY SANDBOX AT ALL!?!?!?! Apps in the store are curated, but you can (and thanks to USA vs IBM 1964 always will be able to) install apps through other sources.

A virus will not be a sandboxed app. Non-sandboxed apps will continue to exist (until the LAW changes, not Apple's position, which btw is for non-store apps to always be available, as this is critical to beta, enterprise, virtualization, and a whole series of other examples THEY gave us).

Even if someone put an app in the store, and it turned out malicious, and somehow could use a SECOND app to exploit some other as-yet-unexplored vulnerability and actually truly operate outside its sandbox, a) the user has to have voluntarily downloaded it, b) Apple can recall the app, remotely uninstalling it, and c) Apple would have the malicious dev's contact info, who would be a resident of the USA (or nation in question), to hand over to authorities. See, getting a Mac dev account is not quite as simple as can easily be done using false data; they'll find that dev, and any damage should be highly limited.

Also, yea, other people pointed out: Apple does not discuss Apple's security plans for fixing published issues. In the end, they also 99% of the time fix them, but on a priority basis. This is but a proof of (limited) concept, very low risk, and nothing in the wild being exploited. It's a THEORY of how someone MIGHT (one day) come up with a combination of exploits even this hacker could not figure out a complete model for.... and it requires a user knowingly installing 2 apps.... it's the lowest of low risk...

Please stop linking to factual information, hearsay is so much less confusing for the trolls.

I think they may have been referring to Apple's long-standing claim that they "don't get PC viruses". Which is true, if just a teensy bit misleading to a non-tech user. They get Mac viruses (well, at the very least, all I can think of is that trojan requiring the user to enter their password from the pirate iWork? stuff) instead.

Really, isn't Apple implementing this at all an indication that the OS could be more secure? If they were really as bulletproof as some speds claim, why would they need to do this at all?

For me, it isn't the implied attitude that Apple doesn't need A/V, it's the idiot customers who think it's something Apple did all on their own. No, what Apple did was put a pretty GUI on BSD. The stability and security weren't much on Apple's part; it was the decades of UNIX and BSD developers responsible for that.

Personally, I'm waiting for someone to release something dangerously malicious on OS X, just to show that it can be done - let Macs get hit like Windows got hit by Conficker, and we'll laugh and laugh.

In the meantime, I think Apple might be a little premature with this. It sounds too restrictive to too many useful programs, and obviously hasn't gotten all the security bugs ironed out yet.

It sounds like a pain in the ass, like UAC on Windows - that's the first thing I turn off on Windows, and I've never had a problem. I've cleaned up enough systems to know that there has to be a better way, though. Too many people will put their credentials in without even questioning what's prompting it so that even UAC becomes useless (and a giant hassle.)

So, let Apple do what they do - show MS & the Linux people that it can be done, and it doesn't have to be the ugly mess that came before (eg, years of horrible Win tablets vs the iPad - I'll concede to understanding the appeal of the iPad, although I don't want one. Also, I hate Apple with a passion. If I'm willing to concede that much to them, that's a huge sign MS was doing it wrong.)

Bro - listen to me, it doesn't matter how many times you correct these idiots, they'll keep saying the same thing. Why? Because they claim that somehow what a fanboy says represents official Apple policy.

Actually, they do it just because it quite obviously gets under your skin.

Is it me, or is it the possibility that we've become oblivious to past histories on Apple and it's now revisionist to an extent? May I remind you, if Apple denies a problem existing, it isn't technically an "identifiable problem". I shouldn't have to link to the infamous "you're holding it wrong" issue on addressing lost signal during calls. I shouldn't have to bring up the memos regarding the malware MacDefender making its path around cyberspace. I shouldn't have to also add that updates made to address problems and issues are released publicly to inform customers of what the purpose of the patches are.

It's also the burning issue of understanding what is really the problem: the fact that it's an Apple product or the fact that it promotes a sense of security that is in actuality a false security?

Yes, I use Mac and Windows, and I think Charlie Miller had the best comment to describe security: Windows is like living in the worst area in town with barred windows and all of the security devices possible, while Macs are like living in the rural country and leaving your doors open.

Frankly assuming Apple fixes stuff behind the scenes once they become public also ignores extensively the track record Apple has in investigating claims and exploits reported to them; they usually don't always take such exploits seriously.

Would it make sense for processes to inherit sandbox permissions, just like their environment? That probably doesn't help if the nefarious app is using launchd to fire up the process but perhaps it would be something.

(Forgive me if this is stupid, I am not a security expert)

Unfortunately, no, you can't do that. The point of the sandbox is that, for instance, your main program cannot write to the disk, but it can invoke a helper that has the correct entitlements.

For instance, say that I craft a malicious file for program A that exploits a vulnerability in the application to execute arbitrary code (like "delete every file on the drive once this document is opened"). If application A is sandboxed in such a way that it can't access the drive, it obviously won't work. The problem is, if it can't access the drive, it's gonna have a hard time opening any document at all. So, it can launch a new process that is entitled to read from the disk (and only to read from the disk), read the data from there, and have it passed back to program A. This way, an attacker would have to figure out a vulnerability in program A and a way to exploit it through other processes sandboxed in different ways to do something actually harmful.

The proof-of-concept code posted by CoreLabs is interesting. Hearing once again, for the thousandth time, that the mac virus apocalypse is nigh, is really boring. Yawn. The sky is not falling, little trolls.

Not a fan of the trolling here, and personally use both platforms a lot, but...

Apple repeatedly brought up the required installation of anti-virus on the PC as a disadvantage compared to Macs in their "I'm a Mac" adverts. Consciously or subconsciously, consumers can only be expected to glean from that that Macs don't need anti-virus. That their own knowledge base contradicts their sales pitch is hardly a defense.